BGSU Data Handling Guidelines

This document provides guidance in compliance with the BGSU Data Use & Protection Policy. It is the responsibility of each data user to provide for the secure handling of data throughout the life cycle of the data, including data at rest, data in transit, and data disposal. The following guidelines represent a summary of best practices for your guidance; however, every situation is unique. Some situations may require additional steps. If you have additional questions, please contact the BGSU Information Security Office.

Poor physical security of data can circumvent other controls and protections in place. As with other forms of security, it is best to provide multiple layers of protection rather than depending on one method of protection as the entire defense strategy.

Use the following guidelines in physically securing data:

1. Log out of or turn off your computer when leaving for long periods. For short periods, lock your computer before going away or set a screen saver with password enabled.

2. Lock the door when you leave the work area.

3. Use locks, cables, and other security devices if the computer is in a public or unsecured area. Consider redacting or removing “limited access” or “restricted” information under these circumstances.

4. Report suspicious people and activity in high security areas to the BGSU police.

5. Maintain awareness of those having access to your office. If necessary, require an attendance log for areas requiring high security.

1. Encrypt “limited access” and “restricted” data at rest using University supported encryption technology. For example, BGSU currently uses PGP’s suite of products for encryption of an entire hard drive as well as for partial drive and individual file encryption.

2. While it is important to back up your data, limit unnecessary duplication of “limited access” and “restricted” data. Additionally, avoid storing data on external media that can be easily lost, stolen or misplaced. If you do store “limited access” or “restricted” data on external media, then it must be encrypted and then securely erased when it is no longer needed.

3. Follow basic computer security best practices on computers that store BGSU data. This includes installing software and operating system updates, maintaining current anti-virus protection, and enabling firewall protection.

4. Refrain from installing untested or unsupported software. Only use software needed to complete necessary work tasks.

7. Avoid downloading and installing any software encouraged by a pop-up window or unexpected e-mail attachments.

8. Limit the amount of “limited” and “restricted” data you store on your computer, CDs/DVDs, flash drives, external hard drives and other storage media. Only store what you need to accomplish your job duties.

II. DATA IN TRANSIT

Data in Transit is data transferred between a server and a desktop or laptop computer in a network. Data is susceptible to interception when transmitted over public networks. It is imperative to encrypt “limited access” and “restricted” data when transferred across networks to protect against loss.

A. Web sites – Any website created by BGSU that is used to access or submit “limited access” or “restricted” data must use “HTTPS”, also known as Secure Sockets Layer (SSL) technology. Additionally, BGSU employees submitting “limited access” or “restricted” data to authorized agencies via web sites must only do so if the web site is HTTPS or SSL enabled.

C. Virtual Private Networks (VPNs) – When establishing connections to or from non-BGSU networks to the BGSU network in which “limited access” or “restricted” data will be accessed, a VPN connection should be used.

D. Electronic Mail – Despite the use of some encryption on the BGSU email system, email is not an inherently secure method for transferring “limited access” or “restricted” data. Users are encouraged to avoid transferring “limited access” or “restricted” data over email. If users do send “limited access” or “restricted” data via email, they must do so only FROM and TO BGSU email accounts and only to those authorized to receive the information. If the recipient does not have a BGSU email account AND is authorized to obtain the information AND the only way to transmit the information is via email, then the data must use additional encryption methods such as PGP.

III. DATA DISPOSAL

Data Disposal means the secure destruction and/or erasure of electronic devices. Use the following steps for secure data disposal.

A. Identify data that requires secure disposal, such as data classified as “Limited Access” or “Restricted.”
